blog.deadcode.net

Rooting LG Nexus 4

ray — Fri, 28 Dec 2012 21:29:39 +0000

Ok! I got my new Nexus 4 last night and now I’m rooting it! Since I had experienced rooting Nexus S and Galaxy R, I’am pretty confident to do that again to my really new phone. It is better to do it as early as possible because rooting the phone always means resetting the phone to factory state.

Allow me to off-topic, here is my biased opinion to this new phone

I really think the overall size of Nexus S is the best. Nexus 4 is way too BIG to me.
Nexus 4 battery life is WAY TOOOOO SCARY.
It is really smooth and fast, compared with my old Nexus S. Android 4.2.1 is nice and I liked all the new features yeah.

Ok, back to the topic.

The procedures is pretty much the same as rooting nexus S indeed. My most concerns of rooting a phone are

Pick the safest procedures , never get the phone bricked!
Only install what really needed.
Do not replace stock recovery so that to enjoy further OTA update.

My procedures are mostly referred to this article, and I’ve performed a NAND backup just like what I did to my Nexus S before rooting the phone. This make the rooting even more ‘safest’.

Unlock bootloader

Download the Nexus 4 toolkit from xda developers forum.
Install toolkit to c:\
Run C:\Google Nexus 4 ToolKit\Toolkit.exe as Administrator
- Do you want to check if an Update is available [type yes or no]? no
- What Build do you have? [1. Android 4.2]
- To install the drivers to your PC:
  1. [1. Install/Uninstall google Nexus 4 Drivers on your PC]
  2. Select your operation system
  3. Select the suitable drivers to install
  4. In case a popup appeared. Click [Install this driver software anyway]
Switch on nexus 4, go to Settings / About Phone , click the [ Build number ] 7 times
Go to Settings / Developer options

Enable [USB debugging].
Now connect the Nexus 4 to the PC. The PC will begin to install the Nexus 4 driver.
Go back to the Toolkit window, input ’3′ [3 to unlock the bootloader]
1. Input 1. [1. UnLock Bootloader]
2. Input [no.] to reboot to fastboot mode
3. The phone will be rebooted. After reboot, use volumn up / down key to highlight [Yes, Unlock bootloader (may void warranty)],
  then press power button to continue
4. use volumn up / down key to highlight the green [Start], then
  press power button to start unlock bootloader
5. Once bootloader is unlocked, the device is resetted, you need to setup the phone
  all over again.
After setup, repeat step 4 and 5 to enable usb debugging option.

Backup Nand

Power off the phone
Press and hold volumn down button, then power on the phone. The phone will go to fastboot mode.
Press volumn up key until you see the red [Restart bootloader], then press power button once to continue.
After reboot, connect the usb cable.
Go back to Toolkit window, select [10. Boot to Custom/Stock Recovery without Permanently Flashing it]
1. Select [1. Boot to Clockworkmod Touch Recovery 6.0.1.9]
2. Type [yes] to continue.
  
  This will just boot (not flash) to CWM recovery.
Select [backup and restore] option.
- Select [backup]

This will backup the NAND.
Select [+++++Go Back+++++]
Select [reboot system now]
Backup /mnt/shell/emulated/clockwordmod/backup/* to your PC.

Root the phone

Go back to the Toolkit window
Select [4. Root/UnRoot Options]
1. Select [4. Boot CWM Recovery, Install Root, Busybox + Rename Restore Files]
2. Read the warning, make sure you meet all the requirements, then type [yes] to continue.
  The phone will be rebooted.
After reboot, click [install zip from sdcard]
Click [choose zip from sdcard]
Select [0]
Scroll down and select [SuperSU-0.98-Busybox-RenameRecoveryRestore.zip]
Finally click [Yes - Install Super...]
Select [+++++Go Back+++++]
Select [reboot system now]

Your phone is now rooted.

Reference

http://www.cursed4eva.com/root-nexus-4/

Modding Series 35 – Organizing photo by date, the automatical way

ray — Wed, 10 Oct 2012 17:59:33 +0000

I am really busy babysitting lately and really don’t have the time manually organizing all the baby’s photo anymore. I used to categorizes my photo like these:

/baby/1 months/2012-01-10 /baby/1 months/2012-01-11 . .

What I really need now is some kind of scripts or program to do these:

read all photo in a directory
extract the timestamp of the photo from exif, NOT from file timestamp
move all photo to subdirectory based on photo’s exif timestamp

Sound not much works, but I’ve got like 6 months didn’t have time sitting in front of a computer and got way too much of photo left un-categorized.

Did some search on google and here is how I get it done quickly on my old diskstation.

Download and install Exiv2

Prerequisites

Got at least the following ipkg optware package installed
- make
- gcc
Not really sure about the package dependency though, if anyone know, please update in the comment section below, thanks

Steps to download and install Exiv2

# SSH/Telnet to diskstation as root

# cd

# wget http://www.exiv2.org/exiv2-0.23.tar.gz

# tar xvzf exiv2-0.23.tar.gz

# cd exiv2

# ./configure

# make

# make install

Script to create directories by datestamp

Since exiv2 does not create directory, I need a script to create the directory for me. Below is a simple one I found on the net.

Create the script:

# cd ~
# vi mkDir.pl

Copy and paste the script below:

#!/usr/bin/perl
use strict; use warnings; use Time::Local; use POSIX 'strftime'; my $start = date2epoch('2012-04-01'); my $end = date2epoch('2012-10-08'); my $curr = $start; while ($curr <= $end) { my $mydate = strftime "%Y-%m-%d", localtime($curr); mkdir $mydate; $curr += 24 * 60 * 60; } sub date2epoch { my ($y, $m, $d) = split /-/, shift;
return timelocal(0, 0, 12, $d, $m - 1, $y - 1900); }

As highlighted in red above, the script will create directories like that

./2012-04-01 ./2012-04-02 . . ./2012-10-08

Get the works done

Now all the tools are ready...

# cd /volume1/photo/baby

# cp ~/mkDir.pl .

# perl ./mkDir.pl

# exiv2 mv -r "%Y-%m-%d/:basename:" *

Done!! Just a few commands all the photo were moved to all subdirectories created by mkDir.pl perl script.

Rollback Nexus S from 4.1.1 to 2.3.6

ray — Fri, 10 Aug 2012 20:50:55 +0000

Hate the performance and poor apps compatibilty for 4.1.1. I decided to rollback my phone to 2.3.6.

Luckily I did a full nand backup using clockworkmod and here is how I rollback the phone

Copy the nand backup to /sdcard/clockworkmod/backup
Setting / Application settings / Development / Click USB debugging
Switch off the phone. Keep pressing the volume up button without releasing it, at the same time switch on the phone.
Use volume button and navigate to the ‘Reboot Bootloader’ option, then press the power button once.
Now connect the usb cable to the phone and the PC
Double click the ‘c:\adb\install-fastboot-windows.bat’.
Use volumn button and navigate to ‘Backup and Restore’, then click power button to confirm. Then navigate to ‘Restore’, then select the nand backup directory.
Press power button to confirm and your phone will be back to 2.3.6.

Rooting ICS 4.0.4 for Nexus S

ray — Wed, 30 May 2012 17:50:24 +0000

I have a rooted Nexus S running 2.3.6 and recently upgraded to ICS 4.0.4 through OTA upgrade.

I’m sooooooo happy that the superuser package is still there and the ICS is already rooted after OTA.

However, a week after ICS upgrade, I received superuser app upgrade notice from Play Store and I gratefully hit the update button and voila…..the root no longer works..

The first things always have to do is google again and downloaded myself a new superuser package, repeat my tutorial about rooting nexus s 2.3.6 using the new superuser app and everything works fine again.

If you have a unrooted phone, you need to start from the first step of my previous article. If you like me, which have a rooted phone and need to update the superuser package only, follow the summary below.

Download the superuser package to the phone’s sdcard root directory.
Download the adb4.zip to your pc, extract it.
Go to the phone’s Setting / Application settings / Development
Click USB debugging
Switch off the phone. Keep pressing the volume up button without releasing it, at the same time switch on the phone.
Use volume button and navigate to the ‘Reboot Bootloader’ option, then press the power button once.
Now connect the usb cable to the phone and the PC
Double click the ‘c:\adb\install-fastboot-windows.bat’.
Select ‘Install zip from sdcard’
Select ‘Choose zip from sdcard’
Select the ‘Superuser-3.0.7-efghi-signed.zip’ from the sdcard
After installed the su package, select ‘Reboot System Now’

Install OpenVPN Client on Nexus S

ray — Thu, 08 Dec 2011 15:51:00 +0000

Steps below is how I setup OpenVPN client on my Nexus S to connect to the OpenVPN server on my Synology NAS DS207+.

Root the phone first.
Go to market and download busybox . Install busybox to /system/xbin.
Go to market and download ES File Explorer. Using ES file explorer and mount root / as writable.
Go to market and download sshdroid.
Download putty and ssh to android (user root, password admin), executes the comment below

# busybox mkdir /system/xbin/bb # ln -s /system/xbin/busybox /system/xbin/bb/ifconfig # ln -s /system/xbin/busybox /system/xbin/bb/route
Download tun.ko and copy to android /system/modules
Go to market again and download openvpn installer and openvpn settings
Open OpenVPN Installer and click ‘Install’ button.
.

Click Install again to confirm installation.

Choose ‘/system/xbin’.

Keep clicking allow button to continue.
Open OpenVPN Settings, click Menu/Advanced
- Click ‘Load tun kernel module’
- Input ‘/sdcard/openvpn’ as path to configurations
- Input ‘/system/xbin/openvpn’ as path to openvpn binary

- Click ‘TUN module settings’, in ‘Load module using’, select ‘insmod’ and input ‘/system/modules/tun.ko’ as ‘path to tun module’.
Connect your phone with the usb cable, create a ‘openvpn’ directory to the sdcard root. Copy the OpenVPN client config file i.e. client.ovpn, ca.crt, client.crt, client.key, ta.key to the /sdcard/openvpn directory.
Back to OpenVPN Setting, click OpenVPN to turn on OpenVPN. Long click the OpenVPN client config and then click Preferences from the popup menu.
Select ‘Built-in + Scripts (passwords)’ for Script Security Level.

Root Nexus S 2.3.6 – the perfect way

ray — Tue, 06 Dec 2011 21:06:06 +0000

Tested device: GRK39F I9023
Android vers: 2.3.6

UPDATE 2012-04-05

I just received OTA 4.0.4 update notification from my rooted nexus s

DISCLAIMER

Rooting a device requires RESETTING the phone. This will erase ALL EXISTING DATA on your phone’s memory, SD card and usb storage!

Rooting also can brick your phone and void your warranty!

Make sure you backup everything before continue, you are warned.

Any downloads here is get from some android forum, I am not sure it is virus free.

Take your own risk. I’m not responsible for any loss following any steps below.

The steps here DO NOT FLASH CUSTOM RECOVERY, so it should not avoid google’s OTA update.

UNLOCK BOOTLOADER

Download adb4.zip and extract adb folder to c:\
Download and extract Nexus_S_Drivers_x86_%26_x64.zip to any folder
Download and copy su-2.3.6.1-ef-signed.zip to the root of the phone’s sd card
Setting / Application settings / DevelopmentClick USB debugging
Switch off the phone. Keep pressing the volume up button without releasing it, at the same time switch on the phone.
Use volume button and navigate to the ‘Reboot Bootloader’ option, then press the power button once.
Now connect the usb cable to the phone and the PC
When installing the driver to PC, select the folder where you extracted the Nexus_S_Drivers_x86_%26_x64.rar, install the driver to your PC.
Once the driver is installed, no, it is not done yet. Open Control Panel, click Device Manager, from ‘Other Devices’, you should found ‘Android 1.0′ with a yellow ‘!’.
Right click the ‘Android 1.0′, click properties button.
Click ‘Device Driver’ tab, then click the ‘Update Device Driver (P)’ button
Navigate to [Nexus_S_Drivers_x86_%26_X64\x86\usbwin’ from the file dialog and then click ok. Now the ‘Android 1.0′ driver should be installed.
double click the c:\adb\install-unlock.bat
Select ‘Yes’ on your phone then press the power button once.
After reboot, then select ‘Reboot’ and press the power button once again.

BACKUP NAND

Before rooting the phone, it is better to backup the nand first.

Disconnect the usb cable
Setting / Application settings / DevelopmentClick USB debugging
Switch off the phone. Keep pressing the volume up button without releasing it, at the same time switch on the phone.
Use volume button and navigate to the ‘Reboot Bootloader’ option, then press the power button once.
Now connect the usb cable to the phone and the PC
Double click the ‘c:\adb\install-fastboot-windows.bat’.
Select ‘Backup and restore’, then select ‘Backup’
After Backup, select ‘Reboot System Now’
Connect the phone to PC using usb cable. Backup the sdcard:/clockworkmod/backup folder to your PC.

ROOT THE PHONE

Disconnect the usb cable
Setting / Application settings / DevelopmentClick USB debugging
Switch off the phone. Keep pressing the volume up button without releasing it, at the same time switch on the phone.
Use volume button and navigate to the ‘Reboot Bootloader’ option, then press the power button once.
Now connect the usb cable to the phone and the PC
Double click the ‘c:\adb\install-fastboot-windows.bat’.
Select ‘Install zip from sdcard’
Select ‘Choose zip from sdcard’
Select the ‘su-2.3.6.1-ef-signed.zip’ from the sdcard
After installed the su package, select ‘Reboot System Now’

Reference

Mobile01 – I9023 ROOT教學

Synology DS207+ modding series 34 – FreeRadius Accounting for OpenVPN with MySQL and daloRadius

ray — Fri, 25 Nov 2011 20:58:08 +0000

Prerequisite

I’m using daloRadius as accounting and reporting tools here. The management function is not used (except NAS client part).

Install daloRadius

Download daloRadius 0.9.9 package

# cd /volume1/web # wget http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz # tar xvzf daloradius-0.9-9.tar.gz # rm daloradius-0.9-9.tar.gz # chown -R nobody:nobody /volume1/web/daloradius-0.9-9 # chown 644 /volume1/web/daloradius-0.9-9/library/daloradius.conf.php

Edit /volume1/web/daloradius-0.9-9/library/daloradius.conf.php, update the values as below

$configValues['CONFIG_DB_USER'] = 'radius'; $configValues['CONFIG_DB_PASS'] = 'radpass'; $configValues['CONFIG_DB_NAME'] = 'radiusdb'; $configValues['CONFIG_FILE_RADIUS_PROXY'] = '/opt/etc/raddb/proxy.conf'; $configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/opt/var/daloradius'; $configValues['CONFIG_LOG_FILE'] = '/opt/var/log/daloradius.log';

Follow up

# mkdir /opt/var/daloradius # chown nobody:nobody /opt/var/daloradius # touch /opt/var/log/daloradius.log # chown nobody:nobody /opt/var/log/daloradius.log

Create and import the database

# /usr/syno/mysql/bin/mysql -u root -p
> CREATE DATABASE radiusdb; > GRANT ALL ON radiusdb.* TO radius@localhost IDENTIFIED BY "radpass"; > GRANT ALL ON radiusdb.* TO radius@127.0.0.1 IDENTIFIED BY "radpass"; > exit;
# cd /volume1/web/daloradius-0.9-9/contrib/db # /usr/syno/mysql/bin/mysql -u radius -p radiusdb < fr2-mysql-daloradius-and-freeradius.sql # password: radpass

Install PHP extension

Install php-pear and php-pear-db

# ipkg install php-pear # pear config-set php_bin /usr/bin/php # cd /opt/share/pear # wget http://download.pear.php.net/package/DB-1.7.14.tgz # mv DB-1.7.14.tgz DB.tgz # tar xvzf DB.tgz # chown -R nobody:nobody /opt/share/pear

Edit php configuration

# vi /usr/syno/etc/php.ini

include_path = .:/php/includes:/opt/share/pear:/opt/share/pear/DB

# vi /usr/syno/etc/php/user-setting.ini

append /opt/share/pear:/opt/share/pear/DB to open_basedir

Install php-gd

# ipkg install php-gd

Synology DS207+ modding series 33 – Install MOTP and integrate with FreeRadius

ray — Sun, 13 Nov 2011 17:42:04 +0000

MOTP stands for mobile one time password which provides one time password services.

Download and install otp server

Login to DS as root
mkdir -p /opt/usr/local/bin
cd /opt/usr/local/bin
Download otp server script
# wget http://motp.sourceforge.net/bash/otpverify.sh
Install necessary library
# ipkg install findutils
# ipkg install md5deep
# ipkg install bash

Edit otpverify.sh

# vi /opt/usr/local/bin/otpverify.sh

Changes highlighted in red.


#!/opt/bin/bash
#
# Mobile One Time Passwords (Mobile-OTP) for Java 2 Micro Edition, J2ME
# written by Matthias Straub, Heilbronn, Germany, 2003
# (c) 2003 by Matthias Straub
#
# Version 1.05a
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Library General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
# 
# This software is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Library General Public License for more details.
#
# arguments:  $1 $2 $3 $4 $5
# $1 - username
# $2 - one-time-password that is to be checked 
# $3 - init-secred from token (to init token: #**#)
# $4 - user PIN
# $5 - time difference between token and server in 10s of seconds (360 = 1 hour)
#
# one-time-password must match md5(EPOCHTIME+SECRET+PIN)
# 

#
# otpverify.sh version 1.04b, Feb. 2003
# otpverify.sh version 1.04c, Nov. 2008
#  changed line 1 to ksh because of problems with todays bash an sh
# otpverify.sh version 1.05a, Jan. 2011
#  changed back to bash and added in shopts line to ensure aliases handled
#  correctly (bash is always available on any modern *nix unlike ksh)
#

PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/usr/local/bin:/opt/bin:/opt/sbin

# ensure aliases are expanded by bash
shopt -s expand_aliases

if [ -e "`which md5 2>/dev/null`" ]
then
	alias checksum=md5
	have_md5="true"
fi
if [ -e "`which md5sum 2>/dev/null`" ]
then
	alias checksum=md5sum
	have_md5="true"
fi


alias checksum=md5deep
have_md5="true"


if [ $have_md5 != "true" ]
then
	echo "No md5 or md5sum available on server!"
	exit 16
fi

function chop
{
	num=`echo -n "$1" | wc -c | sed 's/ //g' `
	nummin1=`expr $num "-" 1`
	echo -n "$1" | cut -b 1-$nummin1 
}

if [ ! $# -eq 5 ] ; then
echo "USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset"
exit 14
fi

mkdir /opt/var/motp 2>/dev/null
mkdir /opt/var/motp/cache 2>/dev/null
mkdir /opt/var/motp/users 2>/dev/null
chmod og-rxw /opt/var/motp 2>/dev/null || { echo "FAIL! Need write-access to /opt/var/motp"; exit 17; }
chmod og-rxw /opt/var/motp/cache
chmod og-rxw /opt/var/motp/users

USERNAME=`echo -n "$1" | sed 's/[^0-9a-zA-Z._-]/X/g' `
PASSWD=`echo -n "$2" | sed 's/[^0-9a-f]/0/g' `
SECRET=`echo -n "$3" | sed 's/[^0-9a-f]/0/g' `
PIN=`echo -n "$4" | sed 's/[^0-9]/0/g' `
OFFSET=`echo -n "$5" | sed 's/[^0-9]/0/g' `
EPOCHTIME=`date +%s` ; EPOCHTIME=`chop $EPOCHTIME`

# delete old logins
/opt/bin/find /opt/var/motp/cache -type f -cmin +5 | xargs rm 2>/dev/null

if [ -e "/opt/var/motp/cache/$PASSWD" ]; then
	echo "FAIL"
	exit 15
fi

# account locked?
if [ "`cat /opt/var/motp/users/$USERNAME 2>/dev/null`" == "8" ]; then
	echo "FAIL"
	exit 13
fi

I=0
EPOCHTIME=`expr $EPOCHTIME - 18`
EPOCHTIME=`expr $EPOCHTIME + $OFFSET`
while [ $I -lt 36 ] ; do # 3 minutes before and after
	OTP=`printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 1-6`
	if [ "$OTP" = "$PASSWD" ] ; then
		/bin/touch /opt/var/motp/cache/$OTP || { echo "FAIL! Need write-access to /opt/var/motp" ; exit 17; }
		echo "ACCEPT"
		rm "/opt/var/motp/users/$USERNAME" 2>/dev/null
		exit 0
	fi
	I=`expr $I + 1`
	EPOCHTIME=`expr $EPOCHTIME + 1`
done

echo "FAIL"
NUMFAILS=`cat "/opt/var/motp/users/$USERNAME" 2>/dev/null`
if [ "$NUMFAILS" = "" ]; then
	NUMFAILS=0
fi
NUMFAILS=`expr $NUMFAILS + 1`
echo $NUMFAILS > "/opt/var/motp/users/$USERNAME"
exit 11

In case there is a newer version of this server script released in the future, here is the summary of changes:

line 1 should point to optware bash: /opt/bin/bash
The script will only looks for md5 and md5sum binary, however, we are using md5deep from optware instead. Add two lines to assign md5deep as checksum binary.
Add 10 to all error code, otherwise it will fail the FreeRadius server
Basically I’ve appended /opt to every path inside the script.
It need the find binary. We should use the binary provided by optware instead of using the system default binary.

# chmod 755 /opt/usr/local/bin/otpverify.sh

Download and setup Android motp client

Since I’ve an Android phone, I install the motp client to my phone.

Download the android motp client ‘Mobile-OTP’ from url below
http://motp.sourceforge.net/Mobile-OTP.apk
Install the apk to the phone
Run the Mobile-OTP.
Input #**# and click ‘Calculate OTP’ button. An init-secret value will be generated. Copy the init-secret and paste it to somewhere, i.e. notepad.
Input 1234 and click ‘Calculate OTP’ button again. An one time password will be generated.
Now test the setup, SSH to the DiskStation as root and run the command as below:

# /opt/usr/local/bin/otpverify.sh testuser [one-time-password] [Init-secret] 1234 0

If you run the command fast enough, the script should return “ACCEPT”. If you got a “FAIL”, repeats again by generating a new one-time-password and execute the command again couple times until you got “ACCEPT”. Make sure the Init-secret and One-time-password is input correctly.

FreeRadius changes

SSH to DS as root
# cd /opt/etc/raddb
# wget http://motp.sourceforge.net/dictionary.motp
Edit /opt/etc/raddb/dictionary, add following line to the end of the file
$INCLUDE dictionary.motp
Although I don’t think this step is needed, but it is suggested by the official installation guide.
# wget http://motp.sourceforge.net/execparams
Add a test user by editing /opt/etc/raddb/users file. Add following lines to the end of the file.
```
testuser Auth-Type = Accept
    Exec-Program-Wait = "/opt/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} 123412341234 1234 0",
    Fall-Through = Yes,
    Reply-Message = "Hello, %{User-Name}"
```
where 123412341234 is the init-secret and 1234 is the pin of the test user. Replace the value of init-secret with the one generated by the Android OTP client.
Generate a new One-time-password using the Android OTP client (input 1234 and click ‘Calculate OTP’ button), then test the freeradius setup by executing the command below:

# radtest testuser [one-time-password] localhost 0 [FreeRadius shared secret password]

If success, you should got a response similar to below:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=48, length=46 Reply-Message = "Hello, testuser "

Now my services like OpenVPN and Squid accept OTP login

Resources

Mobile-OTP

Synology modding series 32 – Setup Wifi WPA2 Enterprise with Freeradius+Openldap/Client Certificate

ray — Sat, 12 Nov 2011 16:02:05 +0000

Prerequisite

Setup FreeRadius to support EAP-PEAP-TLS

SSH to DS as root
Edit /opt/etc/raddb/radiusd.conf, add following line to the config file
$INCLUDE ${confdir}/sites-enabled/

# vi /opt/etc/raddb/radiusd.conf
# add sites-enabled to the config $INCLUDE ${confdir}/sites-enabled/

Edit /opt/etc/raddb/radiusd.conf again, looks for the authenticate section and then add mschap within the section.


# vi /opt/etc/raddb/radiusd.conf

authenticate {
 .
 .
 .
  # add mschap
  mschap
}

Looks for modules section and add three lines within modules section as below


# vi /opt/etc/raddb/radiusd.conf

modules {
 # add expiration, logintime and attr_filter modules
 $INCLUDE ${confdir}/modules/expiration
 $INCLUDE ${confdir}/modules/logintime
 $INCLUDE ${confdir}/modules/attr_filter

}

Edit /opt/etc/raddb/eap.conf, change default_eap_type to peap.


# vi /opt/etc/raddb/eap.conf

.
.
default_eap_type = peap
.
.

Edit /opt/etc/raddb/sites-enabled/default, looks for authorize section and un-comment the ldap line.


# vi /opt/etc/raddb/sites-enabled/default

authorize {
.
.
# un-comment the ldap 
 ldap
.
.
}

Then looks for authenticate section and uncomment Auth-Type LDAP as well.


# vi /opt/etc/raddb/sites-enabled/default

authenticate {
.
.
# un-comment the ldap 
 Auth-Type LDAP{
     ldap
 }
.
.
}

Edit /opt/etc/raddb/sites-enabled/inner-tunnel, looks for authorize section and un-comment the ldap line.


# vi /opt/etc/raddb/sites-enabled/inner-tunnel

authorize {
.
.
# un-comment the ldap 
 ldap
.
.
}

Then looks for authenticate section and uncomment Auth-Type LDAP as well.


# vi /opt/etc/raddb/sites-enabled/inner-tunnel

authenticate {
.
.
# un-comment the ldap 
 Auth-Type LDAP{
     ldap
 }
.
.
}

Edit /opt/etc/raddb/clients.conf, add the Wifi Access Point to the config file.
# vi /opt/etc/raddb/clients.conf
# add access point details here, 192.168.0.1 is the ip of the access point client 192.168.0.1 { secret = [shared secret password of radius server] shortname = [SSID of the access point] nastype = other }
If you have firewall activate on your diskstation, make sure to add a firewall rule to allow the wifi access point to access the udp port 1812, 1813 and 1814.

For now the radius server is already able to perform authentication for wpa/wpa2 enterprise!

Generate client certificate

If you do not plan to perform authorization using client certificate, you can skip this part.

SSH to DS as root
Edit /opt/etc/raddb/certs/client.cnf, refer to modding series 21 for details about this client certificate config file.
** IMPORTANT The Country Name, State and Organization Name MUST match the value of the CA.
Before we generate the client certificate, we MUST backup the original certificate first.

# cd /opt/etc/raddb # cp -r certs certs.b4genclient
Generate a client certificate

# cd /opt/etc/raddb/certs # make client.pem

If you want to generate another client certificate for other wifi client. Edit the client.cnf and run make client.pem again. If make failed and said it couldn’t load a certificate, just copy the server.crt from backup directory and try again.

# cp /opt/etc/raddb/certs.b4genclient/server.crt /opt/etc/raddb/certs # make client.pem

Synology modding series 31 – Capturing Tomato Router Logs using syslog-ng

ray — Sat, 27 Aug 2011 09:25:45 +0000

Since NAS is running 24×7, it is the best device to capture my tomato router logs.

Install and Setup Syslog-ng

Login to NAS using ssh/telnet as root
install syslog-ng
#ipkg install syslog-ng

The glib and eventlog packages should be installed by ipkg as well.
Backup syslog-ng configuration
#cd /opt/etc/syslog-ng
#mv syslog-ng.conf syslog-ng.conf.bak
Create configuration file
# vi /opt/etc/syslog-ng.conf

Below is my syslog-ng configuration to capture only the tomato router log

options { long_hostnames(off); sync(0); };
source src{ internal(); udp(port(5140)); }; destination tomatolog { file("/opt/var/log/tomato.log"); };
log { source(src); destination(wrt54glog); };

I’m using 5140 udp port, change to your own preferred port.
Run the syslog-ng server
# /opt/etc/init.d/S01syslog-ng start
If you have enabled the NAS firewall, you need to insert a firewall rule to allow the inbound logging traffic from the tomato router.
Open a browser and go to the NAS control panel. Navigate to Control Panel / Firewall section. Click ‘Create’ button to create a new firewall rule.

Ports:
Custom Port Type: Destination port
Protocol: UDP
Ports: 5140

Source IP
IP address: [IP address of tomato router, i.e. 192.168.1.1]

Action
Allow

Setup Tomato Router

Open a browser and go to tomato admin page
Navigate to Administration / Logging page
Unclick the ‘Log Internally’
Click the ‘Log To Remote System’
Input the NAS IP address and syslog-ng port (which is 5140 defined in the syslog-ng.conf file)
Choose the event(s) you want to capture.
Input ’0′ in the limit textbox.
Click ‘Save’ button.

The router log is configured to /opt/var/log/tomato.log.